Impact
An unauthenticated attacker can exploit a Local File Inclusion flaw in the ThemeREX Dom theme versions 1.24 and earlier. By manipulating the file path parameter supplied to the vulnerable component, the attacker can read files from the server’s file system that are normally inaccessible to web applications. This vulnerability can expose sensitive configuration files, logs, or source code, compromising confidentiality and potentially enabling further attacks such as credential theft or code execution. The flaw is identified as CWE‑98, highlighting inadequate validation of absolute or relative file names from user input.
Affected Systems
The affected software is the ThemeREX Dom theme for WordPress. The vulnerability applies to all releases of Dom theme version 1.24 and earlier. Clients using any of these versions are at risk until an updated theme release that patches the issue is applied.
Risk and Exploitability
The CVSS score of 8.1 categorizes this as a high severity vulnerability. The EPSS score of less than 1% indicates a very low but nonzero likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The attacker does not require authentication, implying that the effective attack vector is remote over the web. Because the vulnerability involves local file inclusion, exploitation typically requires the attacker to discover a vulnerable endpoint or parameter, construct a suitable path traversal payload, and retrieve files from the server.
OpenCVE Enrichment